First I want to mention and warn that this post will not show how to resolve the issue with the sync errors regarding too large extension attributes.

This post, or rather the steps in it, were originally part of my post below about how to resolve that issue and have now been moved here. The reason for moving these steps into a separate post is to clearly highlight and warn that the following steps are not meant to be imitated in your own environment, as they are the cause of the sync error.

Unfortunately some readers of the original post, where these steps were shown but it was also mentioned not to configure them, apparently (according to a Microsoft escalation engineer) misunderstood them as the solution, configured these steps in their own environment and then of course also ran into that error. Finally they ended up at Microsoft Support.



This post will show exactly how I ran into that issue; it is therefore of course not designed to be imitated, as the steps will lead to the error itself!

So again! Don't configure the steps below in your environment! They are only intended to show why and how you can also run into that error!


If I had known the following fact in the first place,

that the thumbnailPhoto attribute is synced only one time between Azure AD and Exchange Online. Any later changes to the attribute from the on-premises environment are not synced to Exchange Online.

then I would never have run into that error!


In my case I determined that if a user's thumbnailPhoto attribute was updated on-premises and synced successfully to Azure AD, it nevertheless wasn't updated in Exchange Online.

So I thought I could use the Azure AD Connect directory extensions below to select the thumbnailPhoto (user) [Binary] attribute and sync it to Azure AD to solve the update problem, which the day after turned out to be a dumb idea 🙂 .

Again! Don't do the following steps in your environment!!!

The original thumbnailPhoto attribute from your on-premises AD is synced to Azure AD by default as part of a core set of attributes, and therefore you do not have to use or select any of the directory extensions below!



After adding the extension attribute above, I received an email the next day with the subject

We detected synchronization errors in your directory


Clicking on See Sync Error Report shows me the following sync errors. (The number of Large Attribute errors is now 7 instead of the 8 seen in the email, because this is my lab environment and I made some changes to test this behavior.)


Clicking on one of the users will show us more details.

The object failed to be synchronized because one or more the attributes were larger than the allowed limit of size or length or count. Update the attribute to follow the limits.

extension_d925dac931f54e76b9992b75abc3b9a6_thumbnailPhoto

The directory extension attributes are prefixed with extension_{ApplicationId}_.
ApplicationId has the same value for all extension attributes in your Azure AD tenant.


That is exactly my newly created directory extension attribute, which I never needed and which shouldn't be synced additionally.


You will also see the synchronization errors in the Synchronization Service Manager, which is installed along with Azure AD Connect.

In the Operations tab you can see all processes; we are interested in the Export process for the braintestingde.onmicrosoft.com – AAD connector, which is directly connected to Azure AD and in charge of updating, adding or deleting objects and attributes in Azure AD.

You will find more about these processes in my following post:
https://blog.matrixpost.net/azure-ad-connect-sync-architecture-simplified/

Here you can also see the 7 users with the sync error Large Attribute, or rather ExceededAllowLength.

You can also see that the attribute was never updated, as the old value is blank.



So why the hell does the thumbnailPhoto attribute from on-premises now suddenly exceed the allowed size limit? Its size still does not exceed the 100 KB limit for Azure AD and has not changed.

Well, the reason is that the 100 KB limit is only valid for the original thumbnailPhoto attribute that is synced by default to Azure AD as part of the core set of attributes.

In my case, I selected a directory extension attribute which also uses the thumbnailPhoto attribute as its source.

According to the following article from Microsoft, the limit for binary extensions is 256 bytes, and not 100 KB as for the default thumbnailPhoto attribute from the core set of attributes synced to Azure AD by default.

Azure Active Directory limits
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#active-directory-limits

Schema extensions -> Binary-type extensions are limited to 256 bytes.

String-type extensions can have a maximum of 256 characters.
Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource.
Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.


Here the binary extension exceeded the 256 bytes, and therefore the value of this extension attribute cannot be written to Azure AD.
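To find out in advance which on-premises users would hit this limit, the following check is an added example (not part of the original post). It reads every user's thumbnailPhoto from on-premises AD and compares its size against both limits discussed above: the 256 byte limit that applies if the photo is (wrongly) synced through a binary directory extension, and the 100 KB limit for the default core-attribute sync. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine; the limit values are the documented ones.

```powershell
# Added example, not from the original post: audit on-premises thumbnailPhoto sizes
# against the Azure AD limits. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$BinaryExtensionLimit = 256          # bytes: Azure AD binary-type schema extension
$CoreThumbnailLimit   = 100 * 1024   # bytes: default thumbnailPhoto in the core attribute set

# Only users that actually have a photo set; thumbnailPhoto is returned as a byte array
Get-ADUser -Filter 'thumbnailPhoto -like "*"' -Properties thumbnailPhoto |
    ForEach-Object {
        $size = $_.thumbnailPhoto.Length
        [pscustomobject]@{
            UserPrincipalName     = $_.UserPrincipalName
            PhotoBytes            = $size
            # Would produce the "Large Attribute" export error if synced via a directory extension
            ExceedsExtensionLimit = $size -gt $BinaryExtensionLimit
            # Would fail even for the default core-attribute sync of thumbnailPhoto
            ExceedsCoreLimit      = $size -gt $CoreThumbnailLimit
        }
    } |
    Where-Object { $_.ExceedsExtensionLimit -or $_.ExceedsCoreLimit } |
    Sort-Object PhotoBytes -Descending |
    Format-Table -AutoSize
```

Any user listed with ExceedsExtensionLimit set to True but ExceedsCoreLimit set to False is exactly the case described in this post: the photo is fine for the default sync and only breaks when an additional binary extension is configured for it.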

I wanted to check if it works with a thumbnailPhoto below the 256 byte limit, so I replaced the photo of Joe Average with one of 144 bytes.

As you can see in the screenshot below, the thumbnailPhoto attribute from on-premises is now synced successfully to Azure AD using the extension attribute.

You can see that the extension_d925dac931f54e76b9992b75abc3b9a6_thumbnailPhoto extension attribute now has a value assigned.

# Using the Azure AD PowerShell cmdlet (replace <UPN> with the user's UPN)
$UserId = (Get-AzureADUser -SearchString "<UPN>").ObjectId
Get-AzureADUser -ObjectId $UserId | Select-Object -ExpandProperty ExtensionProperty


You can also use Microsoft Graph to check the value:

# Using Microsoft Graph
https://graph.microsoft.com/beta/users/{ObjectID}?$select=extension_{ApplicationID}_{AttributeName}

https://graph.microsoft.com/beta/users/7dfe3115-4247-403a-8f4d-9bfd9ef006dc?$select=extension_d925dac931f54e76b9992b75abc3b9a6_thumbnailPhoto


So now the sync errors are reduced from 7 to 6 users, as the thumbnailPhoto attribute of John Average no longer exceeds the 256 byte limit of the new extension attribute.


But reducing the size of the thumbnailPhoto on-premises to below 256 bytes is not the solution to get rid of the sync errors above.

As mentioned, we don't really need this new extension attribute to sync the thumbnailPhoto attribute to Azure AD, as it is synced to Azure AD by default as part of a core set of attributes anyway, and there the limit is 100 KB.

By the way, 256 bytes is also far too little for user photos.




As mentioned at the beginning, this post was only intended to show you how and why you can run into that sync issue regarding too large extension attributes, and not how to resolve it.

You will see how to solve that issue in my following post.